Diffstat (limited to 'src/end_entity.rs')
-rw-r--r-- | src/end_entity.rs | 54 |
1 files changed, 45 insertions, 9 deletions
diff --git a/src/end_entity.rs b/src/end_entity.rs
index 8c0650a..cfe9ef1 100644
--- a/src/end_entity.rs
+++ b/src/end_entity.rs
@@ -13,7 +13,7 @@
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 use crate::{
- cert, name, signed_data, verify_cert, DnsNameRef, Error, SignatureAlgorithm, Time,
+ cert, name, signed_data, verify_cert, DnsNameRef, Error, ErrorExt, SignatureAlgorithm, Time,
 TlsClientTrustAnchors, TlsServerTrustAnchors,
 };
@@ -79,6 +79,25 @@ impl<'a> EndEntityCert<'a> {
 &self.inner
 }
+ /// Backward-SemVer-compatible wrapper around `verify_is_valid_tls_server_cert_ext`.
+ ///
+ /// Errors that aren't representable as an `Error` are mapped to `Error::UnknownIssuer`.
+ pub fn verify_is_valid_tls_server_cert(
+ &self,
+ supported_sig_algs: &[&SignatureAlgorithm],
+ trust_anchors: &TlsServerTrustAnchors,
+ intermediate_certs: &[&[u8]],
+ time: Time,
+ ) -> Result<(), Error> {
+ self.verify_is_valid_tls_server_cert_ext(
+ supported_sig_algs,
+ trust_anchors,
+ intermediate_certs,
+ time,
+ )
+ .map_err(ErrorExt::into_error_lossy)
+ }
 /// Verifies that the end-entity certificate is valid for use by a TLS
 /// server.
 ///
@@ -89,13 +108,13 @@ impl<'a> EndEntityCert<'a> {
 /// intermediate certificates that the server sent in the TLS handshake.
 /// `time` is the time for which the validation is effective (usually the
 /// current time).
- pub fn verify_is_valid_tls_server_cert(
+ pub fn verify_is_valid_tls_server_cert_ext(
 &self,
 supported_sig_algs: &[&SignatureAlgorithm],
 &TlsServerTrustAnchors(trust_anchors): &TlsServerTrustAnchors,
 intermediate_certs: &[&[u8]],
 time: Time,
- ) -> Result<(), Error> {
+ ) -> Result<(), ErrorExt> {
 verify_cert::build_chain(
 verify_cert::EKU_SERVER_AUTH,
 supported_sig_algs,
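Review bot: The legacy wrapper `verify_is_valid_tls_server_cert` added in the `@@ -79,6 +79,25 @@` hunk folds every `ErrorExt` value that has no `Error` counterpart into `Error::UnknownIssuer`, so a caller on the old API cannot tell a genuinely untrusted chain apart from whatever new failure conditions `ErrorExt` carries (those variants are not visible in this diff; presumably they come from the reworked `build_chain`, whose `0` argument is dropped here). Because `UnknownIssuer` is the variant operators typically treat as a trust-store problem, the wrapper doc should steer diagnostics to the precise API, e.g. `/// Callers that need to distinguish these cases should use `verify_is_valid_tls_server_cert_ext` instead.`. The same applies to `verify_is_valid_tls_client_cert` in the `@@ -103,10 +122,28 @@` hunk.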
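Review bot: `verify_is_valid_tls_server_cert_ext` in the `@@ -89,13 +108,13 @@` hunk keeps its pre-existing doc comment unchanged although the return type becomes `Result<(), ErrorExt>`, so the docs never say what the extended error type reports beyond `Error` or why a caller would choose it over the wrapper. An `# Errors` section listing the conditions only surfaced through `ErrorExt` would make that choice explicit; the start of this doc comment and the rest of the function body lie outside the hunk. The same applies to `verify_is_valid_tls_client_cert_ext` in the `@@ -121,13 +158,13 @@` hunk.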
@@ -103,10 +122,28 @@ impl<'a> EndEntityCert<'a> {
 intermediate_certs,
 &self.inner,
 time,
- 0,
 )
 }
+ /// Backward-SemVer-compatible wrapper around `verify_is_valid_tls_client_cert_ext`.
+ ///
+ /// Errors that aren't representable as an `Error` are mapped to `Error::UnknownIssuer`.
+ pub fn verify_is_valid_tls_client_cert(
+ &self,
+ supported_sig_algs: &[&SignatureAlgorithm],
+ trust_anchors: &TlsClientTrustAnchors,
+ intermediate_certs: &[&[u8]],
+ time: Time,
+ ) -> Result<(), Error> {
+ self.verify_is_valid_tls_client_cert_ext(
+ supported_sig_algs,
+ trust_anchors,
+ intermediate_certs,
+ time,
+ )
+ .map_err(ErrorExt::into_error_lossy)
+ }
 /// Verifies that the end-entity certificate is valid for use by a TLS
 /// client.
 ///
@@ -121,13 +158,13 @@ impl<'a> EndEntityCert<'a> {
 /// `cert` is the purported end-entity certificate of the client. `time` is
 /// the time for which the validation is effective (usually the current
 /// time).
- pub fn verify_is_valid_tls_client_cert(
+ pub fn verify_is_valid_tls_client_cert_ext(
 &self,
 supported_sig_algs: &[&SignatureAlgorithm],
 &TlsClientTrustAnchors(trust_anchors): &TlsClientTrustAnchors,
 intermediate_certs: &[&[u8]],
 time: Time,
- ) -> Result<(), Error> {
+ ) -> Result<(), ErrorExt> {
 verify_cert::build_chain(
 verify_cert::EKU_CLIENT_AUTH,
 supported_sig_algs,
@@ -135,13 +172,12 @@ impl<'a> EndEntityCert<'a> {
 intermediate_certs,
 &self.inner,
 time,
- 0,
 )
 }
 /// Verifies that the certificate is valid for the given DNS host name.
 pub fn verify_is_valid_for_dns_name(&self, dns_name: DnsNameRef) -> Result<(), Error> {
- name::verify_cert_dns_name(&self, dns_name)
+ name::verify_cert_dns_name(self, dns_name)
 }
 /// Verifies that the certificate is valid for at least one of the given DNS
@@ -182,7 +218,7 @@ impl<'a> EndEntityCert<'a> {
 /// `DigitallySigned.algorithm` of TLS type `SignatureAndHashAlgorithm`. In
 /// TLS 1.2 a single `SignatureAndHashAlgorithm` may map to multiple
 /// `SignatureAlgorithm`s. For example, a TLS 1.2
- /// `ignatureAndHashAlgorithm` of (ECDSA, SHA-256) may map to any or all
+ /// `SignatureAndHashAlgorithm` of (ECDSA, SHA-256) may map to any or all
 /// of {`ECDSA_P256_SHA256`, `ECDSA_P384_SHA256`}, depending on how the TLS
 /// implementation is configured.
 /// |